The present invention relates generally to systems and methods for secure client-server communication, and more specifically to secure client-server communication using certificates and user biometrics.
To facilitate secure electronic communications over public networks, such as the Internet, it is necessary that parties engaging in applications such as electronic commerce authenticate each other. Authentication is the process of verifying the identity of a party. One popular authentication technique is the use of digital certificates. The use of digital certificates in allowing a user to access a secure server is discussed with reference to FIG. 1.
FIG. 1 depicts a system 100 for use in secure communications using digital certificates. Referring to FIG. 1, a user 101 desires secure communications with a secure server 112 using a browser application 104 running on a client computer 102. The communications will take place over a public network such as Internet 110. In order to facilitate these electronic communications, each party to the communication (that is, secure server 112 and user 101) obtains a digital certificate from a certificate authority 114.
According to conventional methods, an entity obtains a certificate by the following method. The entity submits a request for a certificate, along with identification information identifying the entity, to a certificate authority. The certificate authority verifies the identity of the entity using the identification information. The certificate authority then generates a certificate, signs it using a private key, and transmits the certificate to the entity. Parties wishing to authenticate the entity obtain the certificate from the entity and verify the certificate signature using the certificate authority""s public key.
To establish a secure connection, digital certificates are exchanged between parties using a mechanism referred to as secure sockets layer (SSL) protocol. This mechanism permits the automatic exchange of digital certificates between parties.
Information exchange between parties has become increasingly secure with the SSL protocol and digital certificates, rendering computer-to-computer data transmissions essentially tamper-proof. However, unauthorized parties can participate in a human-to-computer session as unknown and undetected imposters, because unique user authentication is not ensured during an SSL session. Conventional SSL techniques ensure only the identity of the computer in the transaction, and not the identity of the computer""s user.
Another disadvantage of the conventional SSL process is that a certificate authority is involved only in the creation of certificates. It is not involved in the transactions using the certificates. However, it is desirable to exclude certificates that are no longer valid from these transactions. Certificate authorities address this issue by publishing certificate revocation lists that list invalid certificates. However, in order to prevent the use of invalid certificates, a secure server must frequently check the revocation lists published by each certificate authority. Because these lists are very large, this is a time-consuming process. Further, once a certificate is revoked, a significant amount of time may elapse before the corresponding revocation list is updated to reflect the revocation. For these reasons, revocation lists are inconvenient and unreliable. Therefore, operators of secure servers are reluctant to employ this mechanism.
The present invention is a method and computer program product for accessing a secure resource using a certificate bound with authentication information.
In one implementation, the method includes receiving a certificate request from a user, the certificate request including identification information and authentication information associated with the user; verifying the identification information; issuing a certificate to the user when the identification information is verified; and sending the authentication information and a certificate identifier for the certificate to an authentication server.
According to one aspect, the sending step includes signing a combination of the authentication information and the certificate identifier to form a unique user identifier; signing the authentication information; and sending the unique user identifier to the authentication server.
According to one aspect, the authentication information includes at least one of a password, smartcard information, and biometric information.
According to one aspect, the biometric information includes information describing at least one of a fingerprint, facial scan, voice print, or iris scan of the user.
In one implementation, the method includes receiving a certificate for a user and a request for access for the user to the secure server; sending an authentication query regarding the user to an authentication server; receiving a delta in response to the authentication query, the delta indicating the amount of time that has passed since the user was last authenticated by the authentication server; comparing the delta to a predefined threshold; and granting access when the predefined threshold exceeds the delta.
According to one aspect, the method also includes denying access when the delta exceeds the predefined threshold.
In one implementation, the method includes sending a request for access to a secure server, the request containing a certificate associated with a user; sending the certificate and authentication information to an authentication server when the secure server denies access; and sending the certificate and request to the secure server again when an indication of authentication is received from the authentication server.
In one implementation, the method includes receiving, from a secure server, a request to authenticate a user; determining a delta indicating the amount of time that has passed since the user was last authenticated by the authentication server; and sending the delta to the secure server.
In one implementation, the method also includes receiving a certificate and authentication information from a user that has been denied access to a secure server; authenticating the user based on the certificate, the received authentication information, and stored authentication information associated with the certificate; and resetting the delta when the user is authenticated.
Further features and advantages of the present invention as well as the structure and operation of various implementations of the present invention are described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers indicate identical or functionally similar elements. Additionally, the left-most digit of a reference number identifies the drawing in which the reference number first appears.